Convert the state actions to use the 'state' action option

- Also avoid the CLI having to know about builtin actions Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-12-22 14:20:40 +01:00 · 2016-03-14 14:54:09 -07:00 · 2016-03-14 14:54:09 -07:00 · 3c544b20e6
commit 3c544b20e6
parent dd547c90a8
7 changed files with 51 additions and 115 deletions
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@ -922,23 +922,10 @@ show_events() {
 }
 show_actions() {
    echo "A_ACCEPT                        # Audit and accept the connection"
    echo "A_DROP                          # Audit and drop the connection"
    echo "A_REJECT                        # Audit and reject the connection "
    echo "allowBcast                      # Silently Allow Broadcast/multicast"
    echo "allowInvalid                    # Accept packets that are in the INVALID conntrack state."
    echo "allowinUPnP                     # Allow UPnP inbound (to firewall) traffic"
    echo "allowoutUPnP                    # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
    echo "dropBcast                       # Silently Drop Broadcast/multicast"
    echo "dropInvalid                     # Silently Drop packets that are in the INVALID conntrack state"
    echo "dropNotSyn                      # Silently Drop Non-syn TCP packets"
    echo "forwardUPnP                     # Allow traffic that upnpd has redirected from"
    echo "rejNotSyn                       # Silently Reject Non-syn TCP packets"
    if [ -f ${g_confdir}/actions ]; then
-	cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$'
+	cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^[#?[:space:]]|^$'
    else
-	grep -Ev '^\#|^$' ${g_sharedir}/actions.std
+	grep -Ev '^[#?[:space:]]|^$' ${g_sharedir}/actions.std
    fi
 }
--- a/Shorewall/action.Established
+++ b/Shorewall/action.Established
@ -30,19 +30,6 @@
 DEFAULTS ACCEPT
-?begin perl;
+#
-
+# All logic for this action is supplied by the 'state' option in actions.std
-use Shorewall::IPAddrs;
+#
 use Shorewall::Config;
 use Shorewall::Chains;
 use Shorewall::Rules;
 my ( $action ) = get_action_params( 1 );
 if ( my $check = check_state( 'ESTABLISHED' ) ) {
    perl_action_helper( $action, $check == 1 ? state_match('ESTABLISHED') : '', 'ESTABLISHED' );
 }
 1;
 ?end perl;
--- a/Shorewall/action.Invalid
+++ b/Shorewall/action.Invalid
@ -30,24 +30,6 @@
 DEFAULTS DROP,-
-?begin perl;
+#
-
+# All logic for this action is triggered by the 'audit' and 'state' options in actions.std
-use Shorewall::IPAddrs;
+#
 use Shorewall::Config;
 use Shorewall::Chains;
 use Shorewall::Rules;
 my ( $action, $audit ) = get_action_params( 2 );
 if ( supplied $audit ) {
     fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
     $action = "A_$action";
 }
 if ( my $check = check_state( 'INVALID' ) ) {
    perl_action_helper( $action, $check == 1 ? state_match( 'INVALID' ) : '' , 'INVALID' );
 }
 1;
 ?end perl;
--- a/Shorewall/action.New
+++ b/Shorewall/action.New
@ -22,7 +22,7 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   Untracked[([<action>])]
+#   New[([<action>])]
 #
 #       Default action is ACCEPT
 #
@ -30,19 +30,6 @@
 DEFAULTS ACCEPT
-?begin perl;
+#
-
+# All logic for this action is supplied by the 'state' option in actions.std
-use Shorewall::IPAddrs;
+#
 use Shorewall::Config;
 use Shorewall::Chains;
 use Shorewall::Rules;
 my ( $action ) = get_action_params( 1 );
 if ( my $check = check_state( 'NEW' ) ) {
    perl_action_helper( $action, $check == 1 ? state_match( 'NEW' ) : '' , 'NEW' );
 }
 1;
 ?end perl;
--- a/Shorewall/action.Untracked
+++ b/Shorewall/action.Untracked
@ -29,19 +29,6 @@
 ##########################################################################################
 DEFAULTS DROP
-?begin perl;
+#
-
+# All logic for this action is supplied by the 'state' option in actions.std
-use Shorewall::IPAddrs;
+#
 use Shorewall::Config;
 use Shorewall::Chains;
 use Shorewall::Rules;
 my ( $action ) = get_action_params( 1 );
 if ( my $check = check_state( 'UNTRACKED' ) ) {
    perl_action_helper( $action, $check == 1 ? state_match( 'UNTRACKED' ) : '' , 'UNTRACKED' );
 }
 1;
 ?end perl;
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@ -8,21 +8,18 @@
 #
 # Builtin Actions are:
 #
-#    A_ACCEPT           # Audits then accepts a connection request
+?if 0
-#    A_DROP             # Audits then drops a connection request
+A_ACCEPT                        # Audits then accepts a connection request
-#    A_REJECT		# Audits then drops a connection request
+A_DROP                          # Audits then drops a connection request
-#    allowBcast		# Silently Allow Broadcast/multicast
+A_REJECT		        # Audits then drops a connection request
-#    dropBcast		# Silently Drop Broadcast/multicast
+allowBcast		        # Silently Allow Broadcast/multicast
-#    dropNotSyn		# Silently Drop Non-syn TCP packets
+dropBcast		        # Silently Drop Broadcast/multicast
-#    rejNotSyn		# Silently Reject Non-syn TCP packets
+dropNotSyn		        # Silently Drop Non-syn TCP packets
-#    allowoutUPnP	# Allow traffic from local command 'upnpd' (does not
+rejNotSyn		        # Silently Reject Non-syn TCP packets
-#                       # work with kernel 2.6.14 and later).
+allowinUPnP	                # Allow UPnP inbound (to firewall) traffic
-#    allowinUPnP	# Allow UPnP inbound (to firewall) traffic
+forwardUPnP	                # Allow traffic that upnpd has redirected from 'upnp' interfaces.
-#    forwardUPnP	# Allow traffic that upnpd has redirected from
+Limit                           # Limit the rate of connections from each individual IP address
-#			# 'upnp' interfaces.
+?endif
 #    Limit              # Limit the rate of connections from each individual
 #                       # IP address
 #
 ###############################################################################
 #ACTION
 A_Drop 		                # Audited Default Action for DROP policy
@ -35,16 +32,20 @@ DNSAmp                          # Matches one-question recursive DNS queries
 Drop		                # Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropSmurfs   noinline           # Drop smurf packets
-Established  inline		# Handles packets in the ESTABLISHED state
+Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED  #
 GlusterFS    inline		# Handles GlusterFS
 IfEvent      noinline           # Perform an action based on an event
-Invalid      inline             # Handles packets in the INVALID conntrack state
+Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
-New	     inline             # Handles packets in the NEW conntrack state
+             state=INVALID      #
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
 NotSyn       inline,audit       # Handles TCP packets which do not have SYN=1 and ACK=0
 Reject                          # Default Action for REJECT policy
-Related      inline             # Handles packets in the RELATED conntrack state
+Related      inline,\		# Handles packets in the RELATED conntrack state
             state=RELATED      #
 ResetEvent   inline		# Reset an Event
 RST	     inline,audit       # Handle packets with RST set
 SetEvent     inline		# Initialize an event
 TCPFlags    			# Handle bad flag combinations.
-Untracked    inline             # Handles packets in the UNTRACKED conntrack state
+Untracked    inline,\           # Handles packets in the UNTRACKED conntrack state
 	     state=UNTRACKED    #
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@ -8,11 +8,12 @@
 #
 # Builtin Actions are:
 #
-#    allowBcasts        # Accept multicast and anycast packets
+?if 0
-#    dropBcasts         # Silently Drop multicast and anycast packets
+allowBcasts                     # Accept multicast and anycast packets
-#    dropNotSyn		# Silently Drop Non-syn TCP packets
+dropBcasts                      # Silently Drop multicast and anycast packets
-#    rejNotSyn		# Silently Reject Non-syn TCP packets
+dropNotSyn		        # Silently Drop Non-syn TCP packets
-#
+rejNotSyn		        # Silently Reject Non-syn TCP packets
 ?endif
 ###############################################################################
 #ACTION
 A_Drop	                        # Audited Default Action for DROP policy
@ -26,15 +27,19 @@ Broadcast    noinline      	# Handles Broadcast/Multicast/Anycast
 Drop		        	# Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
 DropSmurfs   noinline     	# Handles packets with a broadcast source address
-Established  inline		# Handles packets in the ESTABLISHED state
+Established  inline,\		# Handles packets in the ESTABLISHED state
 	     state=ESTABLISHED
 IfEvent      noinline           # Perform an action based on an event
-Invalid	     inline		# Handles packets in the INVALID conntrack state
+Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
-New	     inline             # Handles packets in the NEW conntrack state
+             state=INVALID
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
 NotSyn	     inline 		# Handles TCP packets that do not have SYN=1 and ACK=0
 Reject		        	# Default Action for REJECT policy
-Related      inline             # Handles packets in the RELATED conntrack state
+Related      inline,\		# Handles packets in the RELATED conntrack state
             state=RELATED
 ResetEvent   inline		# Reset an Event
 RST	     inline             # Handle packets with RST set
 SetEvent     inline		# Initialize an event
 TCPFlags    			# Handles bad flags combinations
-Untracked    inline             # Handles packets in the UNTRACKED conntrack state
+Untracked    inline,\           # Handles packets in the UNTRACKED conntrack state
 	     state=UNTRACKED